Hi Dmitry,
I reviewed our previous discussion on setting up stunnel by envvars...
On WCE, if you really want to have a unic code to manage envvars...
well ok, you have to write a stub for ExpandEnvironmentStrings,
that either performs %XX% replacement from predefined values OR reads
those values from a wce-specific "pseudo-env-txtfile".
As there is only ONE user in WCE, it is quite straightforward to write
such stub, that will be universal for any wce terminal:
the predefined values can be identical for any wce terminal.
NB : I already mentioned that (re)configuring stunnel through envars is
not safe, at least on Win32 platforms:
on those systems, env vars are stored in the registry (and synchronised
with specific system calls): every malicious sw that can hack the
registry can change env vars, it is of course very easy in we use "user"
env vars, not system env vars.
Yours sincerelly,
Pierre
Le 10/09/2016 09:40, Dmitry Bakshaev a écrit :
> we used patched version on many workstantions (linux and windows) and
> found that this feature allows to flexibly and automatically manage
> the stunnel configuration on the workstations.
>> environment variables like $HOME, %USERNAME% and others defined once
> and never changed, that does not affect stunnel restart and
> configuration reload.
> but it allows us to have a single configuration for all users.
>> the only question that remains: how to use this feature where there is
> no environment variables (WinCE, which we do not have).
> may by ExpandEnvironmentStringsA stub specifically for WinCE?
> any comments, Pierre?
>> 2016-07-07 15:42 GMT+04:00 Dmitry Bakshaev <dab1818 at gmail.com> <mailto:dab1818 at gmail.com>>:
>>>> 2016-06-01 12:29 GMT+04:00 Pierre Delaage <delaage.pierre at free.fr> <mailto:delaage.pierre at free.fr>>:
>> Hello,
> To my mind, admin tasks such as conf file customization,
> should be performed by admin scripts, not app running in admin
> mode.
>> With *GnuWin32 *sed AND echo commands, things are really simple :
>> *stunnel.conf :**
> *
>> cert = %USERPROFILE%\.config\my.pem (windows)
>> output = %APPDATA%\stunnel.log (windows)
>>> *script "envsed.bat" on Windows :**
> *
>> cat stunnel.conf | ^
>> sed -r -e "s/^(.*)$/C\:\\Progra~2\\GnuWin32\\bin\\echo.EXE \1/e"
>> every envvar "à la windows" is expanded .... Will work the
> same in Linux.
>> yes. this is primary goal of this patch - do not edit (manually or
> with sed) config file for each user.
> if user added/removed, if port/host changed, etc.
> admin mantains only one config that fit all users.
>> If we really modify stunnel to do that job, I recommend to
> (try to) use stubs for WCE trying to keep one main code, and
> keeping an acceptable behavior in WCE, instead of playing with
> #if WCE #else etc ...
>> I am not familiar with the Windows CE, first and last time when
> seen the WinCE-device - the beginning of the 2000s. point into the
> right direction if you know.
> win32 has native ExpandEnvironmentStringsA() function,
> on other platform used stub/wrapper around getvar() function
> (#ifndef USE_WIN32).
> WinCE do not has ExpandEnvironmentStringsA() or getvar(), besause
> do not has environment variables.
> #ifndef _WIN32_WCE - simple way to not execute unnecessary code at
> all,
> but attached patch version has ExpandEnvironmentStringsA stub for
> WinCE, please review it.
>> Another way to proceed is that stunnel recognizes a very small
> set of "pseudo-envvars", like eg we can find in samba conf
> files, such as, eg, %u for current user home folder, and that
> it expands (or "translate") internally with its own logic (of
> course using system calls if needed), but in any case, stunnel
> has to do some work for tokenization, something that I think
> dangerous : it would not be good that stunnel expands ANY
> envvar, known or UNKNOWN, without being able to predict the
> effects on its execution.
>> environment variables values owned by user. only owner or admin
> cat change it, not any-other user.
> starting process with admin/system/current_user privileges process
> inherits admin/system/current_user envvars values. stunnel not
> expands ANY or UNKNOWN envvars - only those that admin will
> specified in config file.
>> Moreover, envars can be modified on the fly in an
> unpredictable way: what if stunnel reloads the conf after an
> envvar change ? if it even does NOT detect the change, there
> may be issues ...and if it detects the change and reloads,
> there may be other issues...
>> if running process not modify envvars by himself
> ExpandEnvironmentStrings/getvar expands to values taken on process
> start.
>> Anyway, for the purpose of having multiple stunnel processes,
> running in user space, started from USER command line, it does
> not appear clear to me why an admin should create the USER
> conf files...the USER should be aware of what is he/she doing
> with stunnel?
>> admin manages stunnel and applications configuration on server and
> client side: hosts, ports, other stunnel options.
> user has own private certificate used with stunnel and works with
> applications through stunnel.
>> and it is not clear why and HOW multiple users, logged-on on
> the ?same? machine, each working in USER SPACE, should run
> stunnel simultaneously ...
>> not necessary simultaneously - stunnel may use same ports on
> localhost for all users (from one global config).
> users alternately starts his own stunnel process with own
> certificate (path expanded from one global config).
>> Question is also : if stunnel is running as a service, how
> will it deal with conf file containing ENVVARS, and what
> interest for this as system-wide stunnel just need one unique
> conf file.
>> on server or client side? for example on server with miltiple
> stunnel instances for create predictable log files names (without
> manually editing): output = /var/log/stunnel/stunnel_${SVCNAME}.log
>-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20160910/2874827c/attachment.html>